• Subscribe to the low volume list for updates.

Archives of Security Research

500K HTTP Headers

Recently we crawled the Top 500K sites (as ranked by Alexa). Following requests from readers we are making available the HTTP Headers for research purposes. Download Headers (75MB) The publication of the statistics of WordPress usage is an example of the research that can be conducted. It is possible to determine Web Applications, Web Servers, […]
Read More

Testing Heartbleed with the Nmap NSE script

Everywhere is buzzing with news of the Heartbleed vulnerability in OpenSSL. If you are living under a rock and have missed it just turn on the mainstream news. Not that you will get much detail there... this is a quick tutorial to show you how to test for the vulnerability using a handy Nmap NSE […]
Read More

Defending WordPress with OSSEC

In a previous post, I covered the ways a WordPress site can be attacked. Using the open source OSSEC the majority of those attacks can be detected and even blocked at the system level. OSSEC is a host based Intrusion Detection System (HIDS). It can also be installed as an Intrusion Prevention System (IPS) as […]
Read More

Attacking & Securing WordPress

Learn the tips and techniques used to attack and break into WordPress based websites. With knowledge of these hacker techniques, you will be better prepared to keep your sites secure. Penetration testers or red teams wishing to exploit WordPress targets will also find helpful pointers in this guide. Enumeration (Recon) 1. WordPress Core Version Enumeration […]
Read More

Top WordPress sites vulnerable 6 wks after plugin patch released

Background on the Vulnerabilities W3 Total Cache and WP Super Cache two of the WordPress communities most popular plugins were found to have a code execution vulnerability. An exploit that enables code execution is about as bad as it gets. New releases of the plugins were released on the 18th of April. The following caching […]
Read More

SPF Checked – a look at the Sender Policy Framework

Heard of SPF but not sure how to pass an SPF check? Lets get back to basics and have a quick look at the SPF DNS record that can make your email delivery more reliable and less likely to hit the spam folder. An SPF record is a DNS TXT record that contains the IP […]
Read More

Online Firewall Test for Work or Home

Firewall Testing is the only way to accurately confirm whether the firewall is working as expected. Complicated firewall rules, poor management interfaces, and other factors often make it difficult to determine the status of a firewall. By using an external port scanner it is possible to accurately determine the firewall status. This type of firewall […]
Read More

There are no WordPress Timthumb Hackers in Mongolia

What is Timthumb? Back in August 2011, a serious vulnerability was discovered in many popular WordPress themes and Plugins. The code enabled automatic thumbnail creation when publishing with the WordPress content management system. While not a part of the WordPress core, the code had been reused by many developers, including both commercial and free theme […]
Read More

Update GeoIP data for Splunk App

If you are using the GeoIP app for Splunk you will find that it has not been updated recently. The last update was June 2011. Following my recent post regarding the installation of Splunk on an Ubuntu based system I started to dig into this app and found that it is a simple matter to […]
Read More

Leading websites that enable IPv6 now at 2.68%

There is a need for web site owners and business to enable IPv6 on networks and public facing Internet services. HackerTarget.com has completed a second survey of the websites in the Alexa Top 1 Million to review the latest progress. The survey tested each host for the presence of an AAAA DNS record. This is […]
Read More